The increasingly ubiquitous use of computers and processors for controlling equipment and systems has introduced new vulnerabilities: the controlling and the controlled equipment can be made to operate in an unwanted manner through, for example, hacking or other malicious or unauthorized access that takes command and control of the affected systems. Such systems are also increasingly provided in networked communications, and control is being exercised at ever finer levels. Especially important is the ability of the affected system to continue operating with minimal disruption or loss of effectiveness in the presence of a cyber security threat or a breach of the system.
Furthermore, cyber security forensics functions depend on strict conformance to structured log formats, both in how logs are generated and in how they are transmitted. Identity, network time stamps and event message formats are examples. Without this structure there is no effective way to reconstruct the time-sequenced patterns that reveal the presence of unauthorized actions and actors inside a network. Capacity limitations of embedded Process Control Networks (PCNs), such as the PCNs used onboard ships, hamper the ability to apply these forensics functions. The operational impact is heightened by the evolving move to information-led combat missions, which depend more heavily on the resiliency of the cyber physical systems that make up the hull mechanical and engineering (HM&E) systems.
For example, Control Systems (CS) such as those aboard ships monitor and control vital functions: steering, propulsion, life support systems and electrical power systems, and they even play critical roles in the ship's weapons systems. Little of what happens aboard a ship is outside the scope of its control systems. Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Supervisory Control and Data Acquisition (SCADA) systems, and Human Machine Interfaces (HMI) are all elements of a networked CS.
Together, many parts of the CS aboard a ship can comprise the Process Control Network (PCN): a network of devices cabled together, or sometimes connected over RF communications, that operates in a manner similar to information technology (IT) systems, as a series of networked elements (computers connected with routing and switching components) with each element performing specific system functions. The PLCs, RTUs, distributed control systems (DCS), SCADA systems and HMIs are computing devices similar to servers, desktops, laptops or tablets. Each of these elements of a CS network may run a commercially available operating system (such as VxWorks) that has published (known) and potentially as yet unknown (so-called zero day) vulnerabilities. These vulnerabilities form one vector of attack, one of the links in the kill chain sequence: the chain of events from initial access to the exploitation of a vulnerability that can give the attacker root administrative access or system control access.
However, there are also significant differences from an IT system. Log management is one difference: CS network elements may not generate and collect the log information needed to effectively perform digital forensic (hereafter referred to simply as forensic) functions in the manner understood and used in typical IT systems. For example, with respect to FIG. 1, conventional CS networks do not generate log data between Level 0 and Level 1 devices (the levels being those defined in the Purdue Enterprise Reference Architecture for Industrial Control Systems (ICS), as described, for example, at https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture).
Referring to FIG. 1, the signals generated by the sensors (Level 0) attached to the physical devices are analog, represented as current or voltage. They are not structured as IP packets. Devices at Levels 1 and up may communicate log data using either UDP or TCP over the Internet Protocol (IP). Without Level 0 information, investigators lack the ability to compare the analog information at Level 0 with the digital (packet) information at the higher levels of the architecture (Levels 1-3), and consequently there is no way to resolve whether the physical device is behaving as designed. In contrast, IT systems generate and collect logs for every layer in the network. This problem is at the heart of a forensics principle called provenance. In this case, the provenance is the information at the physical level, Level 0, as captured by a sensor and communicated up to the various control systems. Without this provenance in the chain of log data there is an insufficient basis to trust the logs higher in the chain.
Other problems stem from the lack of consistency in the log data formats. For example, an attacker can easily compromise UDP traffic using methods including spoofing, dropping the traffic and data modification. With no network level authentication, reliable delivery or reference time stamp, whatever log information can be collected may be effectively useless for forensic processes.
Furthermore, a man-in-the-middle (MITM) adversary with access to the network may insert attacks at the most impactful level and time to mask the information reported up the network hierarchy (where decisions are made), creating a false picture of the state of the physical system. Without log information that starts at Level 0 and continues upward, there is no way to perform the data fusion needed for the analysis and correlation that would indicate the presence of a MITM attack.
In addition, PCN-based networks can have a reduced level of system resource capacity as compared to an IT network. Typical IT network features operate within a network with greater capacity (e.g., bandwidth) and tolerance (e.g., longer latencies) than are acceptable in a deployed PCN. Resource constraints and the requirement for reliable process control and monitoring for the safe and stable operation of ICS processes play a role in this problem; this forces limitations on the potential of what can be captured, stored and processed within the CS.
Also, lack of a standardized log structure can hamper effective log management, which requires an absolute adherence to structure so that the information can be properly parsed and fed to the analytical tools. Correlation without a common log structure (message delineation, time stamps, identification, etc.) is difficult to impossible. Even the slightest difference, as in the encoding of a time stamp, can yield completely wrong, potentially dangerous information.
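The Level 0 to Level 1 correlation described above, and the effect of a time stamp encoding mismatch on it, as an added example that is not part of the original text. It assumes a hypothetical Level 0 tap that stamps 4-20 mA readings in epoch milliseconds, a Level 1 device that reports ISO-8601 UTC text, and a linear sensor scaling of 4 mA = -20 degrees, 20 mA = +20 degrees; all records are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample records (not from any real system). The Level 0 tap is
# assumed to stamp analog readings in epoch milliseconds; the Level 1 device
# reports ISO-8601 UTC text. Both encodings must be normalized before any
# correlation is attempted.
LEVEL0_ANALOG = [  # 4-20 mA loop current for a rudder-angle sensor
    {"ts": 1700000000000, "tag": "rudder_angle", "ma": 12.0},
    {"ts": 1700000001000, "tag": "rudder_angle", "ma": 14.0},
    {"ts": 1700000002000, "tag": "rudder_angle", "ma": 16.0},
]
LEVEL1_PACKETS = [  # digital values as reported up the hierarchy
    {"ts": "2023-11-14T22:13:20Z", "tag": "rudder_angle", "deg": 0.0},
    {"ts": "2023-11-14T22:13:21Z", "tag": "rudder_angle", "deg": 5.0},
    {"ts": "2023-11-14T22:13:22Z", "tag": "rudder_angle", "deg": 5.0},  # stale
]

def normalize_ts(value, assume_ms=True):
    """Return epoch seconds (UTC). Numeric input is epoch ms unless assume_ms
    is False, which models the 'slightest difference' in time stamp encoding."""
    if isinstance(value, (int, float)):
        return value / 1000.0 if assume_ms else float(value)
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc).timestamp()

def ma_to_degrees(ma, lo=4.0, hi=20.0, span=(-20.0, 20.0)):
    """Assumed sensor scaling: 4 mA -> -20 deg, 20 mA -> +20 deg, linear."""
    return span[0] + (ma - lo) / (hi - lo) * (span[1] - span[0])

def correlate(level0, level1, tolerance_deg=1.0, window_s=0.5, assume_ms=True):
    """Pair each analog reading with the Level 1 report closest in time and
    flag missing or divergent reports; returns a list of (ts, tag, finding)."""
    findings = []
    for r in level0:
        t0 = normalize_ts(r["ts"], assume_ms)
        expected = ma_to_degrees(r["ma"])
        candidates = [p for p in level1 if p["tag"] == r["tag"]
                      and abs(normalize_ts(p["ts"]) - t0) <= window_s]
        if not candidates:
            findings.append((t0, r["tag"], "no Level 1 report"))
            continue
        reported = min(candidates, key=lambda p: abs(normalize_ts(p["ts"]) - t0))["deg"]
        if abs(reported - expected) > tolerance_deg:
            findings.append((t0, r["tag"],
                             f"mismatch: analog {expected:.1f} deg, reported {reported:.1f} deg"))
    return findings
```

With the correct encoding the third reading is flagged because the reported value no longer tracks the loop current; with the millisecond stamps misread as seconds, every reading goes unmatched and the divergence is never seen.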
Thus, existing PCN-based systems can be confronted with an operational blind spot, because without log or monitoring services there is little effective forensics capability. Without a forensics capability, there is no way to know whether a critical malfunction was caused by a part failure or a cyber attack.
There is another key difference with respect to IT systems that bears on the insufficient logging capabilities of current generation Control Systems (CS). It is best described as an insufficient security layer in the CS architecture. Consider the layers in the architecture of a ship's cyber physical systems, as shown in FIG. 3. There is a physical layer (e.g., turbine, rudder, and engine). There is also a safety layer that monitors for something going wrong at the physical layer; this can consist of backups, breakers, or escape valves. In the CS layer, sensors connected over a network communicate state data up through a hierarchy of control devices to the control and monitoring center (SCADA), from which control functions communicate back down to the field devices to create the desired action at the physical layer. With the exception of the physical layer and, in some cases, the safety layer, all layers use standardized computer platforms and communicate over industry standardized (sometimes vendor proprietary) communication protocols. A standardized logging activity, referred to as Log Management, is common to IT systems. However, computers and computer networks can be hacked, a supply chain can be penetrated, and trusted insiders can be compromised or become self-radicalized. This is why a security layer is needed. The security layer is essential to IT systems and, arguably, even more so for the control of physical systems.
Control Systems were engineered to be electronically and physically isolated, and were therefore thought to be either immune to compromise or sufficiently protected by their safety systems. In the past, an argument could have been made that there was no need for a security layer. However, it is now generally understood that those reasons no longer apply: the CS cannot be logically or physically isolated when it involves standard computers running commercially available operating systems (OS), when these systems are networked to communicate over wired or wireless paths, and when numerous I/O ports provide means of access. Thus, in many regards, the conventional security layer is insufficient in the PCN.
In addition, log services depend on other parts of a defense in depth security structure. A security layer comprises foundational elements such as identity, access management, asset management, log management, event management, configuration and data protection management, incident management, network management, network segmentation, etc. Foundations cannot be built in part; to have an effective security layer all elements of the foundation must be integrated and orchestrated together. As an example, a log event recorded for a device with insufficient identity credentialing and control must not be trusted, as it cannot answer the most basic forensic question, "What entity (device or human) took this action?" Identity management, as exists for some IT systems, may not be provided by the typical PCN; i.e., the PCN logs are insufficient for forensics. The problem of logs for forensics is inextricably tied to all parts of a security layer and does not work in isolation.
Further, the problem has many dimensions. Log management absent the foundational security layer cannot be used in trusted ways. A forensics solution is a higher-level function that depends on the integration of all the layers discussed here. These layers must be designed on the assumption that there exists a capable adversary who can employ the information warfare techniques that are becoming part of cyber attack campaigns. The problem definition must be described in terms that make explicit the security interdependencies between these layers. The problem is not easily fixed, because these security features cannot simply be turned on inside the PCN: (1) they may not be natively supported by CS devices, and (2) they might degrade the reliable process control and monitoring that are essential for the safe and stable operation of the control systems.
Thus, it would be advantageous to provide a system and method for monitoring, detecting, informing, correcting, and collecting and storing relevant information to protect and secure against threats, one that addresses the log management and forensics problems discussed above, the CS resource constraints in the PCN, and the gap in log generation and collection, particularly at Levels 0 and 1; that is itself secure; and that addresses the foundational elements of the security layer.